Problem:
No way to handle a "tab moved" event.
Use-case: tabline plugins may cache tab labels, and need to know when to
invalidate their cache.
Solution:
Add a `TabMoved` event that triggers whenever tabs are reordered via `:tabmove`
or via mouse click-and-drag.
Problem:
After closing and reopening Neovim, ]' and [' fail with E92: Buffer 0
not found for marks restored from ShaDa. Direct jumps like 'a work
because mark_get_local() rewrites fnum before returning, but ]' uses
getnextmark() which does not, leaving fnum = 0.
Solution:
Set .fnum = buf->b_fnum when restoring local marks from ShaDa.
Problem: with a float focused and the target buf only shown in the
last non-float window, do_buffer_ext goes down the buf != curbuf
path. close_windows can't touch the last non-float, b_nwindows stays
> 0, close_buffer is skipped, returns OK silently.
Solution: if a non-float still holds buf after close_windows, jump
into it and recurse. Then buf == curbuf and the existing replacement
path takes over.
Problem:
There is a lot of overlap between terminal and prompt buffer, but no
easy way to limit the number of lines kept above the prompt to prevent
performance and other issues. This is desirable for both example
use cases in current documentation, chat UI and repl/shell plugins.
Solution:
Use existing 'scrollback' option to limit prompt-buffer lines
as well.
Signed-off-by: Tomas Slusny <slusnucky@gmail.com>
Co-authored-by: zeertzjq <zeertzjq@outlook.com>
Problem:
API clients cannot query the tab-local value of 'cmdheight'.
Solution:
Allow nvim_get_option_value() to accept { tab = <tab-ID> } for 'cmdheight'.
Problem: matchfuzzy() can crash on long multi-word patterns.
Solution: Clamp pat_chars to maxMatches and stop before calling
match_positions() when the buffer is full (glepnir).
closes: vim/vim#2020988b00d1c57
Co-authored-by: glepnir <glephunter@gmail.com>
Define `:packupdate` and `:packdel` as separate commands instead of a
unified `:pack {subcommand}` because the semantics between the two
commands vary differently enough that it doesn't make sense to combine
them. Additionally, `:pack! update/del` looks bad.
Problem: out-of-bound read when recovering corrupted swap files
(Rahul Hoysala)
Solution: Validate the db_txt_start field when recovering a swap
file.
Supported by AI
de7a5b5425
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem:
Many color schemes assume the Comment hl group is dim text and use it
for secondary text, decorations, or parts of UI. This is true for many
color schemes but not all.
Solution:
Introducing a new highlight group with a more specific meaning, similar
to Underlined or Ignore.
The new group links to Comment by default so the behavior is unchanged
for color schemes that don't define it.
vim-patch:fbec828c7 CI: Bump the github-actions group across 1 directory with 2 updates
vim-patch:852f4f43c runtime(doc): Fix manpage typo in description of '--ttyfail'
vim-patch:9.2.0472: popup: column jitters when scrolled outside viewport
vim-patch:9.2.0474: MS-Windows: hard to tell which Visual Studio version was selected with MSVC
vim-patch:78302b7b4 translation(it): Update Italian manpage
vim-patch:9.2.0477: popup: leftover content after popup_free under layout change
vim-patch:9.2.0478: channel: redundant str/length assignments in channel_part_info()
vim-patch:9.2.0460: did_set_shellpipe_redir() in wrong file
vim-patch:9.0.2153: no support to build on OpenVMS
vim-patch:9.2.0290: Amiga: no support for AmigaOS 3.x
Problem:
The Lua test harness still ran through standalone -ll mode, so tests
depended on the low-level Lua path instead of the regular Nvim Lua
environment. That also meant os.exit() coverage had to carry an ASAN
workaround because Lua's raw process exit skipped Nvim teardown and let
LeakSanitizer interfere with the observed exit code.
Solution:
Run the harness and related fixtures with nvim -l. Patch os.exit() in
the main Lua state to exit through getout(), so scripts observe normal
Nvim shutdown while standalone -ll remains available for generator-style
scripts. As a consequence, the startup test can assert os.exit() without
disabling leak detection.
AI-assisted: Codex
Problem: Pasting ". register without TextPut* autocommands breaks
subsequent TextPut* autocommands (after 9.2.0470).
Solution: Only decrement add_last_insert if it has been incremented
(zeertzjq).
closes: vim/vim#20192a70b7a85af
Problem: No way to hook into put commands
(yochem)
Solution: Introduce TextPutPre and TextPutPost autocommands
(Foxe Chen).
fixes: vim/vim#18701closes: vim/vim#20144e0781bd5bf
Co-authored-by: Foxe Chen <chen.foxe@gmail.com>
Problem: vim.ui_attach() callback for nvim_echo() call that spoofs an
internal message kind is executed in fast context.
Solution: Set msg_show callback |api-fast| context dynamically at
external message callsites, and for internal list_cmd",
"progress" and "shell*" messages.
Problem:
When using prompt_appendbuf with multi-element list,
the first item is concated and rest replace the prompt instead of
inserting the lines before the prompt.
Solution:
Concat first element with replace_buf and insert the rest of the list
with set_buffer_lines.
Signed-off-by: Tomas Slusny <slusnucky@gmail.com>
Problem: evalvars_init() copies each vimvar's name into di_key at
startup and runtime-checks that the name fits in
DICTITEM16_KEY_LEN, even though all names are known at
compile time.
Solution: Embed the name in di_key via the VV_NAME macro so the
initialization happens at compile time. Drop the
runtime length check and the STRCPY loop (John Marriott).
closes: vim/vim#201851b65cfbac5
Co-authored-by: John Marriott <basilisk@internode.on.net>
Problem: 'title' is updated when changing the name of a non-current
buffer with nvim_buf_set_name().
Solution: Set RedrawingDisabled when renaming the buffer.
Problem: Message redirection column for captured output is not reset
after :echon since (4260f73, e63346df).
Solution: Ensure msg_ext_append is set before the kind with :echon.
CI currently uses clang-tidy 20, but this affects local builds
and CI is going to be upgraded sooner or later.
Some remaining systematic issues:
- clang-tidy warns agains any atoi() or atol() usage (because of no
error handling)
- functions which takes (char *fmt, char *only_string_arg) and expect
fmt to contain exactly one "%s" usage.
- error: initializing non-local variable with non-const expression depending on
uninitialized non-local variable (cppcoreguidelines-interfaces-global-init)
This is a much worse problem in C++ (hence C++ core guidelines) where
initialization is intermingled with arbitrary code execution. I
"think" in plain C, the linker will either resolve all these
deterministically or barf an error. But with some restructuring
we could make all static initialization actually static..
Problem: some functions can be run from the sandbox
Solution: Block them, so they are not accessible from a modeline
(q1uf3ng)
closes: vim/vim#19975fcc4276db3
Co-authored-by: q1uf3ng <q1uf3ng@protone.me>
This feature might be a little silly and niche, but it is very useful
for _my_ workflow (and open source is about mee)
An issue which is never present on high quality RELEASE builds, but
might occur on Debug builds is that the Nvim server crashes
on some error in your unfinished PR code. If you compile your debug
builds with sanitizers enabled, as you should, the ASAN/UBSAN runtime
will print some useful info about your mistake to stderr or a log file,
such as a stack trace. This can be used to jump to the error in the
code.
This allows the nvim server to install a signal hander in the ui client,
which can load this log file in a good safe version of nvim and parse it
using 'errorformat'
This is inspired by the "press ENTER" free workflow of ui2 and applies
it beyond the lifetime cycle of the nvim instance.
example config:
```lua
local asan = vim.env.ASAN_OPTIONS
if asan ~= nil and string.match(asan, "log_path=/tmp/nvim_asan") then
local myname = "/tmp/nvim_asan."..vim.uv.getpid()
local args = {"--embed", "-n", "+set efm=%+A%*[^/]%f:%l:%c", "+silent cfile "..myname, "+silent cfirst", "+silent copen"}
vim.api.nvim__set_restart_on_crash("nvim", args)
end
```
and run your debug nvim like so
ASAN_OPTIONS=handle_abort=1,handle_sigill=1,log_path=/tmp/nvim_asan ./build/bin/nvim
Problem: The four pointer-resolution loops in u_read_undo() lack
an i != j guard, so a header whose uh_next.seq equals
its own uh_seq resolves uh_next.ptr to itself. On
buffer close, u_freeheader() sees uhp->uh_next.ptr !=
NULL and skips updating b_u_oldhead, so u_blockfree()
dereferences the freed header on the next iteration.
The same pattern applies to uh_prev, uh_alt_next and
uh_alt_prev. A crafted .un~ file in the same directory
as a text file can trigger the use-after-free and
subsequent double-free when the buffer is closed.
(Daniel Cervera)
Solution: Add an i != j guard to each of the four resolution
loops, matching the guard already present in the
duplicate-detection loop above.
closes: vim/vim#20168
Supported by AI
4f610f07b7
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: Crash with invalid shellredir/shellpipe value
(bfredl)
Solution: Validate the option and allow only a single "%s".
fixes: vim/vim#20157closes: vim/vim#2015984ae09dd79
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: 'findfunc' only allows extra info for cmdline completion, not
for actually finding files (Maxim Kim, after 9.2.0451).
Solution: Handle returning a list of dicts when actually finding files.
Also fix crash on NULL string (zeertzjq).
fixes: vim/vim#20163closes: vim/vim#201649694ff58fe
Problem: 'findfunc' can't return extra info for cmdline completion
(Maxim Kim).
Solution: Handle 'findfunc' return value in cmdline completion like that
of "customlist" functions (zeertzjq).
fixes: vim/vim#20155closes: vim/vim#2015858124789aa
Problem:
When `:!` writes shell output to a buffer, write_output() splits on `\r`, `\n`,
and `\r\n`, replacing the terminator byte with NUL. For a binary-mode buffer
this is wrong: `\r` should be preserved verbatim, not treated as a line
terminator. This wrong behavior causes a file like `\r\n` round-trips through
`:%!cat` to `\n`.
This was masked when 'shelltemp' was enabled, because output went through a temp
file and the regular file I/O path handled binary-mode correctly. Switching the
default to 'noshelltemp' exposed the bug, since output is now piped directly
into write_output().
Solution:
In `write_output()`, skip the `\r` and `\r\n` splits for a binary-mode buffer;
only split on `\n`.
Problem: read_compound() in spellfile.c computes the size of the regex
pattern buffer using signed-int arithmetic on the attacker
controlled SN_COMPOUND sectionlen. With sectionlen=0x40000008
and UTF-8 encoding active the multiplication wraps to 27 while
the per-byte loop writes up to ~1B bytes, overflowing the heap.
Reachable when loading a crafted .spl file (e.g. via 'set spell'
after a modeline sets 'spelllang'). The cp/ap/crp allocations
have the same int + 1 overflow class (Daniel Cervera)
Solution: Use type size_t as buffer size and reject values larger than
COMPOUND_MAX_LEN (100000). Apply the same size_t treatment to
the cp/ap/crp allocations.
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv9299332917
Co-authored-by: Christian Brabandt <cb@256bit.org>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Problem:
Linter missed backtick and double-quote keynames in the quasi-keyset of
the `nvim_create_user_command` docstring.
Solution:
Update the linter to check backtick-surrounded and quote-surrounded key
names.
Problem:
When showing the :connect menu, it is useful to know which servers
are most-recently active. But we don't have a good way to detect that.
Solution:
- Introduce `v:useractive`.
- Include this timestamp in `serverlist({info=true})`.
Co-authored-by: Justin M. Keyes <justinkz@gmail.com>
Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>
Problem:
parser_gc() calls ts_parser_delete() but leaves the userdata pointer
pointing to freed memory. If the GC finalizer runs at an unexpected time
(e.g. inside nvim_buf_get_lines #39411), a stale pointer could cause a crash.
Solution:
- NULL out `*ud` after ts_parser_delete() in parser_gc()
- Update parser_check() to handle NULL with a clear error message,
guarding all parser methods against UAF
Co-authored-by: Lewis Russell <lewis6991@gmail.com>
Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>
vim-patch:1de887681 No guidance for AI coding agents
vim-patch:9.2.0421: vimball: can smuggle Vimscript into VimballRecord file
vim-patch:620557bd4 runtime(doc): Update help tags file
vim-patch:9.2.0422: popup: leave stray char when scrollbar changes
vim-patch:9.2.0431: blob encoding can be improved
vim-patch:9.2.0434: cscope: filename interpreted by /bin/sh
vim-patch:9.2.0448: Vim9: dangling cmdline pointer after skip_expr_cctx()
vim-patch:9.2.0449: Make proto fails in non GTK builds
vim-patch:9.2.0409: memory leaks in copy_substring_from_pos()
Problem: Internal progress messages use the "nvim" source (since
ff68fd6b), plugins shouldn't be allowed to set the progress
message source to "nvim". The message ID used for internal
progress messages is not identifiable as such.
Solution: Disallow setting opts->source to "nvim" with nvim_echo().
Refactor msg_progress() and callees to bypass nvim_echo().
Prepend message id for internal progress messages with "nvim.".
